mailing list of musl libc
 help / color / mirror / Atom feed
From: Rich Felker <dalias@libc.org>
To: Markus Wichmann <nullplan@gmx.net>
Cc: musl@lists.openwall.com
Subject: Re: [musl] getaddrinfo/AI_ADDRCONFIG with ipv6 disabled
Date: Fri, 30 Apr 2021 15:50:26 -0400
Message-ID: <20210430195026.GZ2546@brightrain.aerifal.cx> (raw)
In-Reply-To: <20210430184917.GC2031@voyager>

On Fri, Apr 30, 2021 at 08:49:17PM +0200, Markus Wichmann wrote:
> On Fri, Apr 30, 2021 at 12:59:39PM -0400, Jeffrey Walton wrote:
> > God forbid they actually provide a selinux_errno to check for SELinux errors...
> >
> > Jeff
> 
> Well, that would be difficult. Although the concept of "nicer" errors
> has been floated in the past, and having some kind of parametrization
> for errno would be helpful (e.g. if ENOENT is returned, actually saying
> which file could not be found would be helpful. Because it's not always
> obvious). But right now, errno is the only error handling mechanism
> established in the ABI, and it is transported by having the system call
> return a value between -1 and -4096 (though I'm not sure if that lower
> bound is general or just AMD64). Having a second errno would require
> either establishing a new system call to read it out, or modifying the
> ABI to allow for the information to be transported. There are many
> hurdles in the way of the latter (can't use return value, can't use
> registers, can only use memory on an opt-in basis, but then you can also
> just add another system call directly), so it's going to be the former.
> 
> Then the question arrises whether the abstraction is even correct.
> Technically, SELinux is just a plug-in security module, and a given
> Linux kernel may have many of those. Shall each get their own errno?
> Where does it end?
> 
> So yeah, it's not as simple as"just add another variable".

Yes, the underlying issue is just SELinux, LSMs, firewall/routing
policy, seccomp, etc. producing wrong error codes (or letting the user
configure it to produce wrong error codes), rather than hard-coding
the cause. For example in the case here, nobody needs to know EACCES.
The important piece of information to the application is that the
connection is not routeable, and this is ENETUNREACH or EHOSTUNREACH.
Routing is always a matter of some sort of policy, so "this was
blocked by fib6 [vs iptables vs just not having a route, etc.]" is not
meaningful to the application.

If there were a secondary way to give more detailed error information,
it might be nice to give it, but in the absence of that, the right
solution is just "don't replace well-specified general error codes the
application knows to handle with overly specific ones it can't (and
that might even mean something else to it, in the case of EINVAL).

Rich

      reply	other threads:[~2021-04-30 19:50 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-05  2:44 Bob Richmond
2021-04-30  0:13 ` [musl] " Rich Felker
2021-04-30 12:38   ` Rich Felker
2021-04-30 16:40     ` Bastian Bittorf
2021-04-30 16:52       ` Rich Felker
2021-04-30 17:59         ` Julian Squires
2021-04-30 16:59     ` Jeffrey Walton
2021-04-30 18:49       ` Markus Wichmann
2021-04-30 19:50         ` Rich Felker [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210430195026.GZ2546@brightrain.aerifal.cx \
    --to=dalias@libc.org \
    --cc=musl@lists.openwall.com \
    --cc=nullplan@gmx.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

mailing list of musl libc

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://inbox.vuxu.org/musl

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V1 musl musl/ https://inbox.vuxu.org/musl \
		musl@inbox.vuxu.org
	public-inbox-index musl

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.musl


code repositories for the project(s) associated with this inbox:

	https://git.vuxu.org/mirror/musl/

AGPL code for this site: git clone https://public-inbox.org/public-inbox.git